Drop in security pros’ confidence they can beat attacks

Confidence among CSOs and security operations managers that their security infrastructure is up to date and that their organisations are able to thwart attacks has dropped, according to the latest edition of Cisco’s annual security report.

“In the face of more sophisticated threats, the Cisco study suggests that the confidence of security professionals appears to be flagging,” the report stated.

Some 59 per cent of respondents were confident their security infrastructure was up to date and constantly upgraded with the best technology available, down from 64 per cent in the previous edition of the report.

“Also, in 2014, 33 percent said their organizations were not equipped with the latest security tools; that number rose to 37 percent in 2015,” the report stated.

While 51 per cent of security pros surveyed for the report believed they can detect security weaknesses before they become full-blown incidents, only 45 per cent are confident in their ability to determine the scope of a network compromise and to remediate the damage, the report said.

Aging infrastructure has left organisations increasingly vulnerable to compromise, the report stated.

Of the 115,000 Cisco networking devices analysed for the study, 92 per cent were running software with known vulnerabilities. Thirty-one per cent of all devices analysed were no longer supported or maintained by the vendor.

One particular weak link for enterprise security is SMB partners.

These organisations use fewer threat defence tools and processes; for example, from 2014 to 2015 the number of SMBs that used Web security dropped more than 10 percentage points. The number using patching and configuration tools also dropped.

“Such weaknesses can place SMBs’ enterprise customers at risk, since attackers may more easily breach SMB networks,” the report stated.

Cisco security expert Anthony Stitt said that many organisations have increased security spending, and the survey noted an improvement in self-reported security maturity levels in Australia.

"We might expect this to translate to an increase in confidence levels. But I believe the prevalence of high-profile successful attacks (here and globally), combined with the everyday issue most organisations are facing with ransomware, is giving organisations the sense that maybe their security spending is not adequately addressing some problem areas like malware," he said.

Discussions with Australian customers show they are dealing with ransomware, spear phishing, email scams, and other attacks at an increasing rate.

"They haven’t made adequate investments in the ability to detect, scope, contain and remediate issues in a way that might lead them to have more confidence about dealing with the problem," said Stitt.

He added that attackers keep reminding us that protective controls are not 100 per cent effective all the time.

"Maximising attack prevention should always be the goal, but we need to plan for 'what-if' scenarios with effective incident response. Historically, detection and response were expensive and time-consuming, so organisations have tried to avoid them by layering more protective controls. But this has led to problems managing and correlating all the information from these systems – which is why most of the recent highly publicised breaches often report the presence of criminals in a network for hundreds of days before discovery."

Gartner recently called for a shift in focus for organisations from 90 per cent protection to 60 per cent protection and 40 per cent detection and response.

Stitt said this is an area Cisco is working on with automation and coordination so any organisation can discover, scope, contain and remediate compromised systems in a reasonable timeframe at a reasonable cost.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.